1. 18

  2. 4

    Nix has a feature where package builds are executed inside a restricted sandbox. If you installed my pip package via Nix, sounds like you’d be totally safe. Well, assuming you enabled that feature, which is not enabled by default on macOS.

    In a multi-user install (which is the default on macOS), builds are run under a set of build users. This is independent from whether one has the sandbox enabled or not, so as long as your home directory is properly restricted, you’d be safe at build time.

    Of course, this doesn’t stop runtime shenanigans…

    1. 1

      I don’t understand why the capabilties security model isn’t more widely used.

      When I run an app or script, I usually have a good idea of what it should be able to do, and in particular what it should not do: write or read most places in my filesystem (except a specific few I allow it to you). I also know whether it needs internet access, and many other things. The newer Mac OS’s seem to partially implement this idea, but it should be easier, and easier to apply to things like scripts. It is the only model I can ever see actually working.